
The SonicWall Capture Labs threat research team has observed reports of spam inviting recipients to view an “image” in which they supposedly appear. The “image”, named IMG148150.jpg.js in our case, is actually a file containing malicious JavaScript downloader code. Once executed, it downloads Avaddon and runs it in the background.

 

Infection Cycle:

 

IMG148150.jpg.js contains the following script:

 

Upon running the script, sava.exe is downloaded from hxxp://217.8.117.63/sava.exe and executed.  It displays the following message on the desktop background:

 

The following commands are run to delete the volume shadow copies on the system:

  • wmic.exe SHADOWCOPY /nointeractive
  • vssadmin.exe Delete Shadows /All /Quiet

 

Files on the system are then encrypted by the malware.  431680-readme.html is copied into all directories containing encrypted files. 431680-readme.html contains the following page:
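As an added illustration, not code from the SonicWall writeup, the following Python detection logic flags the two host behaviours described above: shadow-copy deletion via wmic.exe or vssadmin.exe, and the fan-out of the numbered readme.html ransom note across many directories. The event lines, the pipe-delimited record format and the fan-out threshold are constructed for this example and stand in for whatever process- and file-creation telemetry (Sysmon, EDR) a SOC actually collects.

```python
import re

# Constructed sample telemetry (not real logs), one record per line:
#   process|<image path>|<command line>
#   file|<created file path>|
SAMPLE_EVENTS = [
    "process|C:\\Windows\\System32\\wbem\\wmic.exe|wmic.exe SHADOWCOPY /nointeractive",
    "process|C:\\Windows\\System32\\vssadmin.exe|vssadmin.exe Delete Shadows /All /Quiet",
    "process|C:\\Windows\\System32\\vssadmin.exe|vssadmin.exe list shadows",
    "process|C:\\Windows\\System32\\wbem\\wmic.exe|wmic.exe os get caption",
    "file|C:\\Users\\alice\\Documents\\431680-readme.html|",
    "file|C:\\Users\\alice\\Pictures\\431680-readme.html|",
    "file|C:\\Users\\alice\\Desktop\\431680-readme.html|",
    "file|C:\\Users\\alice\\Desktop\\notes.txt|",
]

# Command-line patterns for the two shadow-copy deletion commands quoted above.
SHADOW_COPY_RULES = [
    # vssadmin.exe Delete Shadows /All /Quiet (argument order and case vary)
    re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.IGNORECASE),
    # wmic.exe SHADOWCOPY /nointeractive, plus explicit "delete" variants
    re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*(\bdelete\b|/nointeractive)", re.IGNORECASE),
]

# The note seen above is 431680-readme.html; match the numbered-readme shape generally.
RANSOM_NOTE_NAME = re.compile(r"^\d+-readme\.html$", re.IGNORECASE)


def parse_event(line):
    kind, path, detail = line.split("|", 2)
    return {"type": kind, "path": path, "detail": detail}


def is_shadow_copy_deletion(command_line):
    return any(rule.search(command_line) for rule in SHADOW_COPY_RULES)


def note_directories(events):
    """Directories that received a numbered readme.html (ransom-note fan-out)."""
    dirs = set()
    for ev in events:
        if ev["type"] != "file":
            continue
        directory, _, name = ev["path"].rpartition("\\")
        if RANSOM_NOTE_NAME.match(name):
            dirs.add(directory)
    return dirs


def detect(lines, note_threshold=3):
    """Return alert strings; note_threshold is a constructed tuning value."""
    events = [parse_event(line) for line in lines]
    alerts = [
        f"shadow-copy deletion: {ev['detail']}"
        for ev in events
        if ev["type"] == "process" and is_shadow_copy_deletion(ev["detail"])
    ]
    dirs = note_directories(events)
    if len(dirs) >= note_threshold:
        alerts.append(f"ransom note fan-out: note written to {len(dirs)} directories")
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The shadow-copy rules fire on the first matching process event, which is the earliest practical point to interrupt the chain; the note fan-out rule is a confirmation signal that encryption has already begun, so in practice it feeds containment rather than prevention.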

 

avaddonbotrxmuyl.onion leads to the following page hosted on the Tor network:

 

After entering the ID provided in the html page, the following page is presented asking for $500 USD in Bitcoin to be paid to 32rmhhgJaCDEaB2RGv3joCc5K75niYtxZ5:

 

The site provides a chat interface in order to communicate with the operators and possibly negotiate.  We tried to reach out to the operators using this interface but received no response:

 

SonicWall Capture Labs provides protection against this threat via the following signatures:

  • GAV: BitsAdmin.N (Trojan)
  • GAV: Avaddon.RSM (Trojan)

This threat is also detected by SonicWALL Capture ATP w/RTDMI and the Capture Client endpoint solutions.

New wave of malicious XLS files spreading Zloader

The SonicWall Capture Labs Threat Research Team has observed a new wave of malicious Excel files distributing Zloader.

Since the start of 2020, we have observed malware campaigns using the Excel 4.0 macro feature available in Microsoft Excel, which we have covered in our previous blog posts.

Thus far, malicious Excel files used for spreading Zloader have had the following characteristics:

  • Two sheets: some files had one visible sheet and one hidden sheet, while in others both sheets were visible;
  • The Auto_Open name is not visible in the Name Manager dialog box; and
  • Excel's built-in CHAR or MID functions were used to operate on cell data, which was then joined with the concatenation operator ‘&’ to construct further instructions.

Fig-1: Excel file used earlier by Zloader

Transformations observed in this new wave of MS-Excel files:

  • The workbook has more than two sheets, with one visible worksheet; the remaining sheets, including a macro sheet, are hidden;
  • Auto_Open is visible in the Name Manager dialog box; and
  • Data is simply retrieved from cells and joined using the concatenation operator to construct further instructions.

This re-modelling gives the file a more legitimate appearance.
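As an added example, not code from the SonicWall post, here is a small Python evaluator for the formula style described in both lists above: CHAR() and MID() calls and plain cell references joined with the ‘&’ operator. The SHEET dictionary is a constructed stand-in for a hidden macro sheet and the decoded strings are harmless; the point is to show an analyst how scattered cell data resolves to the final instruction text without opening the file in Excel.

```python
import re

# Constructed stand-in for a hidden macro sheet (not taken from a real sample).
# Values beginning with "=" are formulas; everything else is plain cell data.
SHEET = {
    "A1": "=CHAR(65)&CHAR(117)&CHAR(116)&CHAR(111)",   # CHAR() style from the earlier wave
    "A2": '=MID("xx_Openxx",3,5)',                        # MID() style from the earlier wave
    "A3": "=A1&A2",                                       # plain cell references joined with &
    "B1": "Hel",
    "B2": "lo",
    "B3": '=B1&B2&" "&CHAR(87)&MID("aborld",3,4)',        # mixed style
}

CHAR_RE = re.compile(r"^CHAR\((.*)\)$", re.IGNORECASE | re.DOTALL)
MID_RE = re.compile(r"^MID\((.*)\)$", re.IGNORECASE | re.DOTALL)
CELL_RE = re.compile(r"^\$?[A-Z]{1,3}\$?\d+$", re.IGNORECASE)


def split_top_level(expr, sep):
    """Split expr on sep, ignoring separators inside quotes or parentheses."""
    parts, depth, in_str, start = [], 0, False, 0
    for i, ch in enumerate(expr):
        if ch == '"':
            in_str = not in_str
        elif not in_str:
            if ch == "(":
                depth += 1
            elif ch == ")":
                depth -= 1
            elif ch == sep and depth == 0:
                parts.append(expr[start:i])
                start = i + 1
    parts.append(expr[start:])
    return [p.strip() for p in parts]


def evaluate(expr, sheet, _depth=0):
    """Resolve a formula or cell reference to the string it builds."""
    if _depth > 64:  # guard against cells that reference each other in a loop
        raise ValueError("formula nesting too deep")
    expr = expr.strip()
    if expr.startswith("="):
        expr = expr[1:]
    terms = split_top_level(expr, "&")
    if len(terms) > 1:
        return "".join(evaluate(t, sheet, _depth + 1) for t in terms)
    term = terms[0]
    if len(term) >= 2 and term[0] == '"' and term[-1] == '"':
        return term[1:-1].replace('""', '"')          # string literal; "" escapes a quote
    if term.isdigit():
        return term                                    # numeric literal (CHAR/MID arguments)
    m = CHAR_RE.match(term)
    if m:
        return chr(int(evaluate(m.group(1), sheet, _depth + 1)))
    m = MID_RE.match(term)
    if m:
        text, start, length = split_top_level(m.group(1), ",")
        first = int(evaluate(start, sheet, _depth + 1)) - 1   # MID is 1-based
        count = int(evaluate(length, sheet, _depth + 1))
        return evaluate(text, sheet, _depth + 1)[first:first + count]
    if CELL_RE.match(term):
        value = sheet.get(term.upper().replace("$", ""), "")
        return evaluate(value, sheet, _depth + 1) if value.startswith("=") else value
    raise ValueError(f"unsupported term: {term!r}")


def decode_sheet(sheet):
    """Evaluate every cell so the reconstructed strings can be reviewed at once."""
    return {ref: evaluate(ref, sheet) for ref in sheet}


if __name__ == "__main__":
    for ref, text in decode_sheet(SHEET).items():
        print(f"{ref}: {text}")
```

Only the three building blocks the post names are supported; any other function raises, which is deliberate, since an unexpected term is exactly where an analyst should stop and look at the raw cell rather than trust an automated decode.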


Fig-2: Excel with visible and hidden sheets


Fig-3: Auto_Open name visible in Name Manager dialog box

 

Fig-4: Plain cell data reading and concatenation

 

These files were created on 3 or 4 June 2020, which indicates that the samples are fresh and that RTDMI detects them effectively.

 


Fig-5: RTDMI Detection

Indicators Of Compromise:

SHA256 of Malicious MS-Excel files:

  • 41879c115ae2a85d0a136d62b6169e95756f0b9bd8f47e32238a4e2e26e0fc03
  • 5c264ad2647000a4e260ff5f60df04a2d9b24676dc7b4bc45e07e1b70c053b0c
  • cffef738b2ec86d56432f0a988cf4a8511bf813515edc91b2e1d6729d5f1cfef
  • 0c47d7fe4c8d6563fd4c616080703a974d04694658b23c2d36ecc03b03eeec32
  • b24019b7b02989bb5e02e5243d704d63bab71442613574a7d4a3a69a8b36541e
  • 9c1d837a523f86c8117be3a607f1910e248993e6e77c47bb86b17eec2503e627
  • 56a662fcfaa103edd1fc45ed24c7e974662136a95c2191e65f46702b4d98a7ea
  • 0e186d534befcd860e2618d4cf77af6180effe42b07cecde75164142e2090ff4
  • 2a0d637ff6bcdf1fd37905fb84926e7ef35190fc62e97f3305b1da65b9f15a8f
  • f83f7117ddab2be46f57000e3623a22f15f46da2c4878000bb8de87c9b2ebba9

Network Connectivity:

  • https://destgrena[.]at/3/tsk.dll

SHA256 of payload:

  • 444a977a2d0768f115fef0704a3f067d937823877a8202a4796425a58f49b6e0
  • 1526e62be6b34c6ea39220569f90e44cf04efccaa4b4ed75af8a4f669f10b2e9
  • 06a297b1c6b0b25ef3cc3ca6c77ad62e2ff5bd801c8cb9c081fbb4ea90d313fa
  • 363d8b43541e37ae9b25a5fd6b6eef5245fc667c449b3d37e45a3de15d60780b
  • 6c95e2eeeb98b0557a849e972ad26d2c77e7d9d8bfbd45ec680cfb6eb508667c
  • 8cbe7c61e8b1bd3d2187b9e7f10449dfcb4f20c309cf768433f164dc83149a1a
  • 327b41d9bcad614f2e62b3e838ae9a1237dc0bd3ed17c59e1290abf596e5f178
  • b22779f52daffae57465b8becfa4e19240304d6e835ffe4448fa4d5588a2e9cc
  • e27bcec6ccb48108abdf87328d0e260de1036df851af20317061da2419734d1f

 

Cybersecurity News & Trends – 06-05-20

This week, cybercriminals took a more hands-on approach, a new breed of ransomware bided its time, and computers got too hot to handle.


SonicWall Spotlight

Test Platform Leaks Bank Of America Clients’ Covid-19 PPP Loan Applications — SC Magazine

  • Bank of America has disclosed that its third-party test platform briefly exposed Paycheck Protection Program applications to outside parties. According to SonicWall’s Dmitriy Ayrapetov, the leak was due to a rushed effort by the bank to finish the data platform, resulting in holes in its security.

Boundless Cybersecurity For The New Work Reality — SC Magazine

  • The adoption of work-from-home has moved us into a hyper-distributed IT landscape. With 100-percent-remote employees conducting online meetings and connecting via email, mobile and cloud, the perimeter has vanished into a multitude of endpoints spread across the globe.

Cybersecurity News

New Tycoon ransomware targets both Windows and Linux systems — Bleeping Computer

  • A new human-operated ransomware strain is being deployed in highly targeted attacks on small- to medium-size organizations in the software and education industries.

Large-scale attack tries to steal configuration files from WordPress sites — ZDNet

  • In an attempt to steal database credentials, attackers tried to download configuration files from WordPress via old vulnerabilities in unpatched plugins.

‘Scorching-hot hacked computer burned my hand’ — BBC

  • At least a dozen supercomputers across Europe had to be shut down last week due to cryptojacking attacks. One individual found out the hard way that his was one of them.

USBCulprit malware targets air-gapped systems to steal govt info — Bleeping Computer

  • The newly revealed USBCulprit malware is designed for compromising air-gapped devices via USB.

Cybersecurity warning: Hackers are targeting your smartphone as way into the company network — ZDNet

  • Campaigns targeting smartphones have risen by a third in just a few months, many with the end goal of opening a portal to corporate networks.

Denial of service attacks against advocacy groups skyrocket — Cyberscoop

  • A new report suggests that advocacy sites are being targeted at a rate more than four times that of U.S. government websites such as police and military organizations.

Ransomware gang says it breached one of NASA’s IT contractors — ZDNet

  • The DoppelPaymer ransomware gang claims to have breached DMI, a major U.S. IT and cybersecurity provider and a NASA IT contractor.

Anonymous, aiming for relevance, spins old data as new hacks — Cyberscoop

  • The group is trying to use the nationwide protests to draw attention to data that was stolen years ago.

Apple fixes bug that could have given hackers full access to user accounts — Ars Technica

  • Sign In With Apple — a privacy-enhancing tool that lets users log in to third-party apps without revealing their email addresses — just fixed a bug that made it possible for attackers to gain unauthorized access to those same accounts.

Suspected Hacker Faces Money Laundering, Conspiracy Charges — Bank Info Security

  • According to the U.S. Department of Justice, a New York City man is facing federal charges after being arrested at John F. Kennedy Airport with a PC allegedly containing thousands of stolen credit card numbers.

An advanced and unconventional hack is targeting industrial firms — Ars Technica

  • Attackers are putting considerable skill and effort into penetrating industrial companies in multiple countries, with hacks that use multiple evasion mechanisms, an innovative encryption scheme, and exploits that are customized for each target.

PonyFinal Ransomware Targets Enterprise Servers Then Bides Its Time — Threat Post

  • Microsoft has warned of a new breed of “patient” ransomware that lurks in networks for weeks before striking.

In Case You Missed It

A Message from our CEO: Listening, Learning and Standing Together

On June 5, 2020, the below message was sent from SonicWall CEO Bill Conner to all employees.

SonicWall Team,

We’ve all been watching over the past week as a tragic event in the United States touched off outcries and calls for justice and reform, not only around the United States, but also around the world.

After thoughtfully considering how to address this important topic, I am convinced that we should not just be asking what the right words are for expressing our rejection of all forms of discrimination. Rather, we should also be asking how we can make our communities more safe and more equitable for everyone, and, perhaps more importantly, how we can take action.

I want to be clear that I stand with other business and community leaders in condemning racial injustice and discrimination in any form and calling on our leaders, organizations and neighbors to listen and learn from all voices, and to take action.  We can and must stand together to create positive change wherever we are able to.

Listen and Learn: Knowledge is our Best Defense

Too often, the injustices and attacks we see are a product of ignorance and a lack of open communication and exposure. What that tells me is that our best defense against being part of the problem is knowledge and transparency. We need to take time to listen, communicate openly and respectfully and be willing to change when change is called for.  We must also accept that we cannot truly understand the struggles of another person if we have not walked a few miles in their shoes.

Our SonicWall family is a diverse, global team made up of almost all cultural backgrounds, ethnicities and colors. That diversity is a fundamental strength. I have been fortunate to have spent nearly four decades working at SonicWall and other multi-national and multi-cultural organizations.  During that time, I have learned that when we listen with the objective to understand, engage with each other on our merits and work together toward a common cause, differences in our appearances and backgrounds fade.  We become one team.

I urge all of us to take a step back and seriously consider how we can better listen and learn from the people who don’t look like us or share our beliefs, backgrounds or cultures. Lasting change starts with an individual accountability for how we treat each other and, ultimately, how we will choose to act.

Standing Together for Change

At this time, I want to issue a challenge to our entire SonicWall family. There are dedicated individuals and organizations who have been working for years to combat the issues that are at the forefront of the news headlines.  I urge each of us to find causes in our communities that need our time and talents, and to volunteer our services. I also encourage each of us to support organizations that are promoting these changes: Please consider making a donation to organizations such as the NAACP Legal Defense Fund, Color of Change or the Black Lives Matter Foundation within the next few weeks.

To demonstrate our commitment as a company and an executive team at SonicWall, we will match your donations made to one of these organizations or a similar organization advocating for equality during the month of June. We will also make additional donations to similar causes in the coming months. The HR team will be sending details on each of the organizations mentioned above, and how to record your donation for matching purposes.

I’m proud to work each day with a diverse and talented group of employees around the world. Let’s continue to be ONE team and make a difference in our homes and communities.

Listen, learn and stand together for positive change.

Sincerely,

Custom Build Your Security Strategy with the SonicWall Boundless Cybersecurity Bundle

“One size fits all.” It’s a nice idea, isn’t it?

For ties and wristwatches, maybe.

For just about everything else, “one size fits all” is simply a nice way of saying “tailored for no one” — especially when it comes to cybersecurity bundles. With all the different tools, services, options and solutions that can go into a bundle, what are the odds that the bundles being offered will fit your particular business needs?

In the end, you often wind up with something you hadn’t planned to buy, or maybe didn’t even need, just to get a good deal. But if you’re forced to buy something you can’t use, are you actually saving money?

Imagine if you had the option to specify what you’d like to bundle together. How often would you opt for the pre-packaged bundle, if you had the option not to?

Traditional bundles offer two options: Take it, or leave it. But business needs — and use cases — are more complex than ever before. Organizations are now protecting a boundless workforce, with boundless exposure points. So why should your cybersecurity packages box you in?

That’s why SonicWall is introducing the limited-time Boundless Cybersecurity Bundle promotion. What’s in it? Whatever you’d like, with just a couple of conditions. Regardless of your use case, you can take only what you need, and none of what you don’t.

Best of all, the more you buy, the more you save. Purchase a qualifying product, including any firewall (or virtual firewall) with Advanced Gateway Security Services (AGSS), any Secure Mobile Access (SMA/SMAv), or a four- or eight-pack of wireless access points, and receive incremental discounts on each different solution added to that transaction, up to five total.

By leveraging SonicWall’s disruptive economics, you’ll get security tailored to your needs, all at a lower price than if you’d purchased each solution separately.

Whether you’re trying to comply with HIPAA, PCI-DSS, FIPS or other regulations; extend wireless across a construction site; protect a utility from ransomware; give remote employees access to key business data; or implement web filtering (CIPA) for elementary students, there’s a set of SonicWall products, services and solutions to fit your needs.

Your Boundless Cybersecurity Bundle is specific to you, and specific to your business use cases, because you built it from the ground up. And each is backed by SonicWall’s nearly three decades of experience securing businesses of all sizes against the most advanced and sophisticated cyberattacks.

So you get a customized solution and lower total cost of ownership, all from a company that nearly 500,000 organizations already trust with their cybersecurity needs.

To start building your Boundless Bundle, contact SonicWall or your partner.

Promotion begins June 3, 2020, and ends July 31, 2020, and is only available for purchases in NOAM and EMEA. In EMEA, only registered deals qualify for this promotion. This promotional offering may not be combined with any other sale, promotion, discount, rebate, coupon, or offering nor may it be used in conjunction with stock rotations. Discounts may vary depending on participation in programs offered by SonicWall and will be applied to only one solution per purchase transaction per end user customer during the promotion period. SonicWall’s MSRP will be used to calculate the final purchase price. A qualifying product must be purchased with one of the additional products listed. The qualifying product chosen must be different from the additional products chosen. The solution must be created to meet an end user customer’s request and must be reasonable for the end user’s intended use (e.g. meet the end customer’s intended licensed seat usage). Incremental discounts increase only as qualifying products that are different from each other are added to the solution. Proposed solutions and discounts granted are at SonicWall’s sole discretion. Only purchases of products that the end customer has not previously purchased qualify for the promotion. The purchase of qualifying physical or virtual firewalls must include one (1) year of the SonicWall Advanced Gateway Security Suite (AGSS). Additional terms and conditions may apply. All end user customer purchases are subject to the terms and conditions located at: www.sonicwall.com/legal. SonicWall is not responsible for errors or omissions nor for the acts or omissions of any third party. This offer may be modified, discontinued or terminated by SonicWall at any time without notice.